Work laptop disconnects when on corporate VPN

I'm running OpenWRT as a router connected through a switch to some access points. I have a work laptop using a VPN to the work network, and I can only connect to my WiFi for a minute or so. After it disconnects me, my network's SSID shows up with this symbol https://answers.microsoft.com/en-us/windows/forum/all/what-does-this-symbol-mean/97617bf9-34d2-4075-8ef3-314813ded511 and says some information has changed and makes me re-enter the password.

The only thing in the logs is this when I connect, nothing on disconnect:

Fri Dec 6 17:58:32 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.1.234 94:f4:3e:64:8a:2f
Fri Dec 6 17:58:32 2024 daemon.warn dnsmasq-dhcp[1]: Ignoring domain WORK-VPN-DOMAIN for DHCP host name HOSTNAME
Fri Dec 6 17:58:32 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.1.234 94:f4:3e:64:8a:2f HOSTNAME

My DHCP config:

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option dns_service '0'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

My network config:

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd63:7923:640d::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '192.168.1.1/24'
	option delegate '0'

config device
	option name 'br-wan'
	option type 'bridge'
	list ports 'wan'
	list ports 'eth2'

config device
	option name 'wan'
	option macaddr '7a:1c:5e:0b:61:bb'

config device
	option name 'eth2'
	option macaddr '7a:1c:5e:0b:61:bb'

config interface 'wan'
	option device 'br-wan'
	option proto 'pppoe'
	option username 'USERNAME'
	option password 'PASSWORD'
	option ipv6 'auto'
	option keepalive '0 1'

config interface 'wan6'
	option device 'br-wan'
	option proto 'dhcpv6'

config interface 'docker'
	option device 'docker0'
	option proto 'none'
	option auto '0'

config device
	option type 'bridge'
	option name 'docker0'

config route
	option interface 'lan'
	option target '192.168.2.0/24'

That your work blocks access to the Azure connectivity indicator?

Sorry, what do you mean? The VPN client is Ivanti Secure Access Client. But I'm not sure what the Azure connectivity indicator has to do with OpenWRT?

Exactly, the spider symbol has absolutely nothing to do with OpenWRT. Ask your work for help with Ivanti and spiders.

But I'm being disconnected from my local network. So you're saying Azure connectivity monitor thinks I have no internet and is disconnecting me from the network?

Something has to be different though, as the network worked fine when I used my ISP's provided router, so I'm thinking there should be a config I can change to fix this.

Ask at your work, they will not jump for joy if you share their setup details in a public forum. Maybe network overlap? Idk

In some cases, that is by design insofar as all traffic might be sent from your device through the tunnel and local network access blocked.

However, there is also the possibility that this is due to a subnet conflict. If the subnet assigned/routed via your VPN is the same as that of your OpenWrt lan, that would account for the loss of local connectivity. In that case, change the lan subnet of your OpenWrt router and try again.

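The subnet-conflict check suggested in the reply above, as an added example that is not part of the original thread. It reads the lan address from an excerpt of the posted /etc/config/network, tests it against VPN-routed prefixes, and picks a free /24. The VPN prefixes are a constructed sample (the thread never lists the real ones), and the function names are hypothetical.

```python
import ipaddress

# Excerpt of the /etc/config/network posted in the thread (lan section only).
NETWORK_CONFIG = """
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	list ipaddr '192.168.1.1/24'
"""

# Constructed sample: prefixes a VPN client might route through the tunnel.
# Replace with the routes seen on the laptop while the VPN is connected.
VPN_ROUTES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/23"]


def lan_networks(config_text, section="lan"):
    """Return the IPv4 networks configured on one UCI interface section."""
    nets, current = [], None
    for line in config_text.splitlines():
        words = line.split()
        if words[:1] == ["config"]:
            is_iface = len(words) > 2 and words[1] == "interface"
            current = words[2].strip("'\"") if is_iface else None
        elif current == section and len(words) == 3 and words[1] == "ipaddr":
            # Assumes CIDR notation, as in the posted config.
            nets.append(ipaddress.ip_interface(words[2].strip("'\"")).network)
    return nets


def conflicts(lan_nets, vpn_routes):
    """Return (lan, vpn) pairs whose address ranges overlap."""
    vpn = [ipaddress.ip_network(r) for r in vpn_routes]
    return [(lan, v) for lan in lan_nets for v in vpn if lan.overlaps(v)]


def suggest_lan(vpn_routes, pool="192.168.0.0/16", prefixlen=24):
    """Return the first subnet in pool that overlaps no VPN route, or None."""
    vpn = [ipaddress.ip_network(r) for r in vpn_routes]
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(v) for v in vpn):
            return cand
    return None


if __name__ == "__main__":
    lan = lan_networks(NETWORK_CONFIG)
    for lan_net, vpn_net in conflicts(lan, VPN_ROUTES):
        print(f"conflict: lan {lan_net} overlaps VPN route {vpn_net}")
    print("free /24:", suggest_lan(VPN_ROUTES))
```

After moving the lan to a different subnet, devices need a fresh DHCP lease before the new addressing takes effect.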

If DNSMASQ is not the DNS for your LAN, what are you using as a DNS, and how do you configure it on your devices?

The VPN client will probably block access to any device in your network, other than the router.


Yes, I have seen this with FortiGate clients too. If the SSID is not in a whitelist then the client disconnects from WiFi. Kinda stupid... But what do I know


Thanks, yes, this was the issue - switched to 192.168.2.0/24 and connectivity was restored.
